EU AI Act

EU AI Act Article 6: What High-Risk Classification Means for Your AI Agents

AI
AIAgentree Team
AI Compliance
July 5, 2026
12 min read

EU AI Act Article 6 High-Risk Classification

Article 6 of the EU AI Act establishes classification rules for high-risk AI systems. High-risk systems are defined by Annex III categories including employment, credit scoring, healthcare, education, and law enforcement. Organizations must comply by August 2, 2026. Article 6 requirements include automatic logging for decision traceability (Article 12), transparency and explainability (Article 13), and human oversight capabilities (Article 14). Non-compliance carries penalties up to €15 million or 3% of global turnover. Standard execution logs do not satisfy Article 6 — compliance requires structured decision tracing that captures reasoning, evidence, alternatives considered, and accountability. AIAgentree provides Decision Packet infrastructure specifically designed for EU AI Act Article 6 compliance.

Share:
TL;DR

Article 6 of the EU AI Act determines whether your AI system is "high-risk" — triggering mandatory requirements for logging, transparency, and human oversight. Deadline: August 2, 2026.

  • Annex III categories — credit, employment, healthcare, education
  • Article 12 — automatic logging that enables decision traceability
  • Article 13 — transparency and explainability requirements
  • Article 14 — human oversight and intervention capabilities
  • Penalties — up to €15M or 3% of global turnover for non-compliance

Last month, a Tier-1 European bank's AI team got the email no AI lead wants.

The CISO wrote: "Regulator audit incoming. 30 days. Document the last 90 days of AI-assisted credit decisions. Full traceability per Article 6."

The AI team's first response was "we have logs."
Logs are not Article 6 compliant.

Disclaimer: This post is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for compliance decisions. Regulation text is current as of July 2026; verify citations before relying on them.

Article 6 In Plain Language

Article 6 of the EU AI Act (Regulation 2024/1689) establishes when an AI system qualifies as "high-risk." The classification triggers mandatory compliance requirements that fundamentally change how you must document and govern your AI agents.

Article 6(1): "An AI system [...] shall be considered high-risk where [...] the AI system is intended to be used as a safety component of a product [...] or the AI system is itself a product [...] and is required to undergo third-party conformity assessment."

Article 6(2): "In addition to the high-risk AI systems referred to in paragraph 1, AI systems falling under any of the use cases listed in Annex III shall be considered high-risk."

Translation: if your AI agent makes decisions in the categories listed in Annex III — credit scoring, employment, healthcare, education, law enforcement — it is high-risk by default and must comply with Articles 12-14.

The Annex III High-Risk Categories

Annex III defines 8 categories where AI systems are automatically classified as high-risk:

(1) Biometrics

Facial recognition, emotion detection, biometric identification

(2) Critical Infrastructure

Traffic management, utilities, digital infrastructure

(3) Education

Admission decisions, exam scoring, learning path determination

(4) Employment

Recruitment, performance evaluation, promotion, termination

VERY HIGH RELEVANCE

(5) Essential Services

Credit scoring, insurance pricing, benefits access

VERY HIGH RELEVANCE

(6) Law Enforcement

Evidence evaluation, profiling, risk assessment

(7) Migration & Asylum

Visa applications, border control, asylum processing

(8) Justice

Legal research, case outcome prediction, sentencing

If your AI agents operate in categories 4 (employment) or 5 (essential services), you are almost certainly subject to full Article 6 requirements. These are the highest-volume enterprise AI use cases.

The Three Capabilities Article 6 Demands

High-risk classification triggers three related Articles that define what compliance actually means:

Article 12: Record-Keeping & Audit Trails

"High-risk AI systems shall be designed and developed with capabilities enabling the automatic recording of events ('logs') [...] The logging capabilities shall ensure a level of traceability of the AI system's functioning [...] appropriate to the intended purpose."

Translation: You need logs that enable traceability of decisions — not just API calls, but reasoning.

Article 13: Transparency & Information

"High-risk AI systems shall be designed and developed in such a way as to ensure that their operation is sufficiently transparent to enable deployers to interpret a system's output and use it appropriately."

Translation: Decision outputs must be interpretable. Black-box isn't compliant.

Article 14: Human Oversight

"High-risk AI systems shall be designed and developed in such a way [...] as to enable natural persons to whom human oversight is assigned to [...] fully understand the capacities and limitations of the AI system and be able to duly monitor its operation."

Translation: Humans must be able to understand, monitor, and intervene.

Why Logging Doesn't Satisfy Article 6

Standard execution logs record what happened. Article 6 requires documentation of what was decided and why. These are fundamentally different artifacts.

❌ Execution Log (Not Compliant)

approve_credit(app_id=1234)
score: 0.72
timestamp: 2026-07-01T14:32:11Z
latency_ms: 247
status: 200

Tells you the credit was approved. Does NOT tell you why, what was considered, or what alternatives existed.

✅ Decision Trace (Compliant)

Proposition: Approve credit #1234
PRO: 3-year payment history (weight: 0.9)
PRO: Stable employment (weight: 0.85)
CON: Score below threshold (weight: 0.72)
Override: Analyst approved exception
Rationale: Payment history outweighs score
Outcome (6mo): 0 missed payments

Captures reasoning, alternatives, human oversight, and outcome tracking.

When a regulator asks "why was this credit approved despite the score?", the log has no answer. The decision trace does.

Why Chain-of-Thought Capture Doesn't Satisfy Article 6

Chain-of-thought (CoT) capture seems like a solution — make the model "explain" its reasoning. But there's a fundamental problem:

The CoT Problem

Chain-of-thought is generated post-hoc. It is not faithful to the model's internal computation. Two prompts can produce the same decision with different "explanations." The Commission's working interpretation is moving toward requiring point-of-decision capture, not post-hoc reconstruction.

Decision tracing captures structured artifacts at the point of decision — not reconstructed narratives afterward. This satisfies the Article 12 requirement for "automatic recording" that "enables traceability."

What Decision Tracing Captures (And Why It Satisfies Article 6)

AIAgentree's Decision Packets map directly to Article 6's documentation requirements:

Article 6 RequirementDecision Packet Component
"Traceability of decisions"outcome + rationale_argument_ids
"Consideration of alternatives"alternatives[] + rejected arguments
"Evidence basis"evidence_refs[] with provenance + snapshots
"Human oversight (Art. 14)"decided_by field (agent/human/both)
"Interpretability (Art. 13)"Structured argument tree with pro/con relationships

Sector-Specific Application

Healthcare AI

AI systems assisting with diagnosis, treatment recommendations, or patient triage fall under Annex III. Article 6 requires capturing the clinical evidence considered, differential diagnoses evaluated, and the reasoning chain that led to a recommendation.

Key requirement: Evidence snapshots must freeze the clinical data at decision time. Post-hoc reconstruction from current patient records is not compliant.

Financial Services

Credit scoring, insurance underwriting, and fraud detection are high-risk under category 5. Article 6 requires documenting which factors influenced the decision, how they were weighted, and what would have changed the outcome.

Key requirement: When an applicant asks "why was I denied?", you must be able to cite specific factors from the decision trace — not regenerate an explanation.

HR & Employment

Recruitment screening, performance evaluation, and termination decisions are high-risk under category 4. Article 6 requirements are especially stringent here due to anti-discrimination concerns.

Key requirement: Decision traces must demonstrate that protected characteristics did not influence outcomes. Bias monitoring requires structured reasoning, not just outcome audits.

Timeline & Deadlines

EU AI ACT TIMELINE
Aug 2024
Entry into force
Feb 2025
Prohibited AI banned + AI literacy required
Aug 2025
Governance rules + GPAI obligations
Aug 2026
HIGH-RISK SYSTEMS COMPLIANCE DEADLINE ←

The 90-Day Readiness Checklist

Here's a concrete roadmap to Article 6 compliance:

Week 1-2

Inventory your AI agents

Which systems make or assist decisions? Document each one's intended purpose.

Week 2-3

Classify Annex III applicability

Map each agent to Annex III categories. Determine which are high-risk.

Week 3-4

Audit current logging vs requirements

Compare existing logs against Decision Packet requirements. Identify gaps.

Week 4-8

Deploy decision tracing infrastructure

Integrate AIAgentree's SDK. Begin capturing Decision Packets at decision points.

Week 6-9

Establish human oversight workflows

Define approval queues, override procedures, and escalation paths per Article 14.

Week 9-12

Create regulator-response runbook

Document how you'll respond to a 30-day audit request. Test the response flow.

What This Post Does Not Cover

Boundaries matter. This post specifically addresses Article 6 high-risk classification. It does not cover:

  • Prohibited AI (Article 5) — if your system falls here, compliance is not possible
  • US AI regulation — different frameworks apply; see our US compliance guide
  • The full EU AI Act — Articles 7-86 cover many other requirements
  • Legal advice — this is informational content, not legal counsel

Frequently Asked Questions

What is Article 6 of the EU AI Act?

Article 6 establishes the classification rules for high-risk AI systems under the EU AI Act. It defines when an AI system qualifies as 'high-risk' based on its use in areas listed in Annex III (employment, credit, healthcare, education, etc.) and sets the threshold for mandatory compliance requirements including logging, transparency, and human oversight.

When does EU AI Act Article 6 take effect?

High-risk AI system requirements under Article 6 must be met by August 2, 2026. This is the primary compliance deadline for organizations deploying AI agents in Annex III categories. Some provisions (prohibited practices) took effect earlier in February 2025.

What are the Annex III high-risk categories?

Annex III defines 8 high-risk categories: (1) biometrics, (2) critical infrastructure, (3) education/vocational training, (4) employment/worker management, (5) access to essential services (credit, insurance, benefits), (6) law enforcement, (7) migration/asylum, and (8) administration of justice. AI agents making decisions in these areas must comply with full Article 6 requirements.

What does Article 6 require for logging and traceability?

Article 6 (and related Article 12) requires high-risk AI systems to maintain automatic logging that enables traceability of decisions. This means capturing what was decided, the reasoning basis, alternatives considered, evidence consulted, and human oversight actions — far beyond execution logs that only record API calls and timestamps.

How is decision tracing different from standard logging for EU AI Act compliance?

Standard logs record what happened (API calls, timestamps, errors). Article 6 compliance requires traceability of the decision itself — why it was made, what evidence supported it, what alternatives were considered, and who was accountable. Decision tracing captures this structured reasoning as auditable Decision Packets that satisfy regulatory requirements.

What are the penalties for non-compliance with Article 6?

Non-compliance with high-risk AI requirements carries fines up to €15 million or 3% of global annual turnover, whichever is higher. For the most serious violations (prohibited practices), penalties can reach €35 million or 7% of turnover. For a company with €1B turnover, this means potential fines of €30-70 million.

Does the EU AI Act apply to companies outside the EU?

Yes. The EU AI Act has extraterritorial reach. It applies to any organization whose AI systems are placed on the EU market, whose AI outputs are used within the EU, or whose AI decisions affect EU residents — regardless of where the company is headquartered.

How can I prepare for Article 6 compliance?

Start with a 90-day readiness program: (1) Inventory your AI agents, (2) Classify Annex III applicability, (3) Audit current logging vs Decision Packet requirements, (4) Deploy decision tracing infrastructure, (5) Establish human oversight workflows, (6) Create regulator-response runbooks. AIAgentree provides infrastructure specifically designed for Article 6 compliance.

Related Topics

Related Articles

AI

AIAgentree Team

AI Compliance

The AIAgentree team is building decision tracing infrastructure for AI agents. Our mission is to make AI reasoning visible, auditable, and improvable.

August 2026 is coming.

Book a 30-minute Article 6 readiness check with our compliance team. We'll assess your current state and map the path to compliance.

Book Readiness Check